What’s the best approach for building Bluetooth-based tracing apps as a way out of the pandemic lockdowns?

Posted on Apr 23, 2020 by Glyn Moody

As the coronavirus pandemic continues, governments around the world are desperately trying to find a way to ease current lockdowns without triggering massive new waves of infection by Covid-19. There is a wide consensus that one promising element of any plan is the use of tracing apps. As this blog wrote back in March, the idea is that people install software on their smartphones to keep track of who they have been physically close to. If someone is infected with Covid-19, a message is sent to people they were near to warn them. The consensus extends further to a general acceptance that the only practical technology for doing this is to use Bluetooth signals. Despite that general agreement, there is one area where there is a major argument brewing: over the best way to protect people’s privacy when they use these apps.

As another recent post noted, the Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) project seemed quite promising. But since then, doubts about it have begun to emerge. For example, people noticed that an option to use a decentralized approach was silently removed. Some governments have already announced that they will be drawing on its framework, notably France and Germany. However, criticism of PEPP-PT has been growing. An open letter from dozens of top researchers was highly critical:

Some countries are seeking to build systems which could enable them to access and process this social graph. On the other hand, highly decentralized systems have no distinct entity that can learn anything about the social graph. In such systems, matching between users who have the disease and those who do not is performed on the non-infected users’ phones as anonymously as possible, whilst information about non-infected users is not revealed at all.
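A simplified sketch of the decentralized matching the letter describes, added here as an illustration; it is not the DP3T specification or any app's actual code. The HMAC-based ID derivation, 16-byte IDs, 96 epochs per day and all class and function names are assumptions, and the encounters are constructed.

```python
import hashlib
import hmac
import os

EPOCHS_PER_DAY = 96  # assumption: the broadcast ID rotates every 15 minutes

def ephemeral_ids(day_key: bytes) -> list[bytes]:
    """Derive one day's rotating broadcast IDs from a secret day key."""
    return [hmac.new(day_key, b"ephid" + i.to_bytes(2, "big"),
                     hashlib.sha256).digest()[:16]
            for i in range(EPOCHS_PER_DAY)]

class Phone:
    def __init__(self, name: str):
        self.name = name
        self.day_keys = {}  # day -> secret key; stays on the phone
        self.heard = {}     # day -> IDs observed over Bluetooth; stays on the phone

    def key_for(self, day: int) -> bytes:
        return self.day_keys.setdefault(day, os.urandom(32))

    def broadcast(self, day: int, epoch: int) -> bytes:
        return ephemeral_ids(self.key_for(day))[epoch]

    def observe(self, day: int, ephid: bytes) -> None:
        self.heard.setdefault(day, set()).add(ephid)

    def report_positive(self, days):
        """An infected user uploads only their own day keys, no contact list."""
        return [(d, self.day_keys[d]) for d in days if d in self.day_keys]

    def check_exposure(self, published) -> int:
        """Runs on the non-infected user's phone: re-derive IDs, intersect locally."""
        return sum(len(self.heard.get(day, set()) & set(ephemeral_ids(key)))
                   for day, key in published)

def simulate():
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    for epoch in (10, 11, 12):  # constructed: alice and bob are close for 3 epochs
        bob.observe(1, alice.broadcast(1, epoch))
        alice.observe(1, bob.broadcast(1, epoch))
    carol.key_for(1)            # carol was active that day but never near alice
    server_list = alice.report_positive([1])  # the only data a server would hold
    return bob.check_exposure(server_list), carol.check_exposure(server_list), server_list

if __name__ == "__main__":
    bob_hits, carol_hits, server_list = simulate()
    print(f"bob: {bob_hits} matching epochs, carol: {carol_hits}, "
          f"server holds {len(server_list)} key(s)")
```

The server list contains nothing about Bob or Carol; a centralized design would instead receive the observed IDs themselves, which is what allows the social graph to be reconstructed.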

As a result of doubts about PEPP-PT, an alternative, fully decentralized approach called DP3T has emerged. Backing has already come from some governments, for example those of Spain, Switzerland and Austria. Austria’s move came in part because of an analysis by Max Schrems and his NOYB organization of the existing official app from the Austrian Red Cross. Although generally impressed with the approach taken by the software, NOYB made 25 recommendations for ways to improve it, including adopting DP3T. Other countries – for example, Italy – are still considering how to move forward with a Bluetooth-based app. The Italian government has said that whatever form it takes, the code will be released under an open source license. Meanwhile, there have been other major developments. For example, Apple and Google announced they would be collaborating on Bluetooth-based tracing technology:

Apple and Google will be launching a comprehensive solution that includes application programming interfaces (APIs) and operating system-level technology to assist in enabling contact tracing. Given the urgent need, the plan is to implement this solution in two steps while maintaining strong protections around user privacy.

The companies’ commitment to privacy is proving rather too strong for some governments. France has asked Apple and Google to weaken privacy rules. Similarly, in the UK, the two companies have refused to support government plans for tracing because in their view it does not protect privacy enough. Despite this criticism, the UK’s National Health Service is going ahead with its own app, which stores information on a centralized database. Suspicions about what the UK government will do with the tracing data were heightened by a leaked document suggesting that ministers might be given the ability to order the “de-anonymisation” of people using the app – hardly something that engenders confidence.

Just how central mobile apps have become in dealing with Covid-19 is shown by a flood of documents and initiatives from the European Commission. These include a recommendation to support lockdown exit strategies using smartphone apps; an EU approach for writing efficient contact tracing apps to support gradual lifting of confinement measures; and the creation of a “Common EU Toolbox” for such apps. The European Commission is acutely aware that privacy is paramount, and issued guidance to ensure full data protection compliance of apps fighting the pandemic:

this document sets out features and requirements which apps should meet to ensure compliance with EU privacy and personal data protection legislation, in particular the General Data Protection Regulation (GDPR) and the ePrivacy Directive

In the US, the debate over the privacy implications of tracing apps has been less prominent. However, Senator Josh Hawley has asked Google and Apple CEOs to be personally liable for protecting the privacy of those using the two companies’ Covid-19 tracking software.

Alongside all these praiseworthy efforts to deploy technology to curb coronavirus infections while protecting privacy, it’s worth noting that criminals are also taking advantage of the general public’s increasing familiarity with the idea of using smartphones to alert people to infection risks. According to WJLA, deceptive text messages are being sent out with the following message:

Someone who came in contact with you tested positive or has shown symptoms for COVID-19 & recommends you self-isolate/get tested.

It then adds a link where people can supposedly gain more information, but which is used for nefarious purposes. As well as being unfortunate for the people who fall victim to these scams, the appearance of these messages is extremely bad news for the whole idea of tracing apps, since people will be less likely to trust them for fear they may be fake.

Featured image by pxfuel.